Hi,
The problem with Kerberos is knowing which SPN is used to encrypt the ticket!
- Kerberos protocol allows a user to request a ticket provided by Kerberos Distribution Center to access the target resource. The ticket can only be decrypted by the owner of the resource. The owner of a resource is the unique AD element with the servicePrincipalName of the resource.
- Web services (with or without SSL) Service Principal Names always start with the “http/” pattern. By default, a machine object has the servicePrincipalNames host/<hostname>, host/<FQDN> and one for each service type hosted by the machine (ex: IIS http/<hostname> and http/<FQDN>).
In AD the resource owner can be:
- Machine hosting web application
- Web Application service account
If the resource owner is the machine, there is no solution. If you have 2 servers, you have 2 different resource owners and the client won't know which one will decrypt the token.
The solution is to be sure the web application account is the same on the 2 IIS servers, and to have the SPN defined like HTTP/myapp.company.com.
PowerShell command to configure it in AD (same as setspn):
Set-AdUser -Identity svc_app1 -ServicePrincipalNames @{Add="HTTP/myapp.company.com"}
Make sure the web app pool is defined to decrypt the token with the web app account and not the machine account (option useAppPoolCredentials).
PowerShell to configure it on the IIS server:
Set-WebConfigurationProperty /system.webServer/security/authentication/windowsAuthentication -Name useAppPoolCredentials -value $true -PSPath IIS:\ -Location SITE-myapp.company.com
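The two commands above, combined into one added example (not part of the original reply) that first checks the SPN is not already held by another AD object, since a duplicate SPN makes the KDC unable to pick the right key and Kerberos silently fails, then registers it, enables useAppPoolCredentials, checks the app pool identity and verifies the result. The account name svc_app1, the SPN HTTP/myapp.company.com, the site name and the app pool name are assumptions; run it on each IIS node with the ActiveDirectory and WebAdministration modules available.

```powershell
# Added example, not the original poster's code. Assumed names below.
Import-Module ActiveDirectory
Import-Module WebAdministration

$ServiceAccount = 'svc_app1'                 # assumed sAMAccountName of the shared web app account
$Spn            = 'HTTP/myapp.company.com'   # SPN clients request for the load-balanced name
$SiteName       = 'myapp.company.com'        # assumed IIS site name
$AppPoolName    = 'myapp'                    # assumed application pool name

$WinAuthFilter = '/system.webServer/security/authentication/windowsAuthentication'

# 1. Duplicate SPN check: only one AD object may hold a given SPN, otherwise
#    the KDC cannot tell which key to encrypt the service ticket with.
$account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
$others  = $holders | Where-Object { $_.DistinguishedName -ne $account.DistinguishedName }
if ($others) {
    throw "SPN $Spn is already registered on: $($others.DistinguishedName -join ', ')"
}

# 2. Register the SPN on the service account (idempotent).
if ($account.servicePrincipalName -notcontains $Spn) {
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = $Spn}
}

# 3. Decrypt tickets with the app pool identity instead of the machine account.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter $WinAuthFilter -Name 'useAppPoolCredentials' -Value $true

# 4. The app pool must actually run as the service account on every node,
#    otherwise useAppPoolCredentials points at the wrong key.
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
if ($pool.processModel.userName -notlike "*$ServiceAccount") {
    Write-Warning "App pool '$AppPoolName' runs as '$($pool.processModel.userName)', not '$ServiceAccount'"
}

# 5. Verify both sides.
$spnOk = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName -contains $Spn
$iisOk = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter $WinAuthFilter -Name 'useAppPoolCredentials').Value
"SPN registered on ${ServiceAccount}: $spnOk ; useAppPoolCredentials on ${SiteName}: $iisOk"
```

Step 1 must run before step 2 on the first node only; steps 3 to 5 are per node, and the app pool identity check in step 4 is what catches the case where one server was left running under ApplicationPoolIdentity.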